Russian State-Sponsored Operations Begin to Overlap: Kaspersky

Kaspersky Lab security researchers have uncovered new evidence that shows overlaps between the activity of infamous Russian cyber-espionage groups Turla and Sofacy.

Earlier this year, Kurt Baumgartner, principal security researcher, Kaspersky Lab, revealed that activity associated with the Sofacy group, which is also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, appeared to overlap with that of other state-sponsored operations.

The researcher said at the time that Sofacy’s Zebrocy malware had been discovered on machines also infected with Mosquito, a backdoor previously associated with Turla. The shared victims included organizations in Europe and Asia.

Amid an evolution in the tactics, techniques and procedures (TTPs) employed by the Turla group, also tracked as Snake, Venomous Bear, Waterbug, and Uroboros, Kaspersky Lab has observed further connections with Sofacy, as well as more evidence linking Turla to WhiteBear.

Specifically, the security researchers discovered that Turla’s KopiLuwak malware is employing a delivery mechanism that uses code nearly identical to that previously seen in the Zebrocy operation.

As part of the attack, Turla employed a new spear-phishing delivery vector, relying on Windows shortcut (.LNK) files for malware delivery. The LNK file, Kaspersky discovered, contained PowerShell code almost identical to that used in Zebrocy activity a month earlier.

The investigation also uncovered target overlaps between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia.

The KopiLuwak malware isn’t new, being first associated with the Turla hackers nearly two years ago. In mid-2018, however, the threat actor started using an evolved variant of the malware, targeting entities in Syria and Afghanistan.

KopiLuwak emerged in 2016 as an evolution from IcedCoffee, Turla’s first foray into full-fledged JavaScript backdoors. Focusing on European governments but more selectively deployed, KopiLuwak performs comprehensive system and network reconnaissance, can run arbitrary system commands and uninstalls itself and leaves little evidence for investigators to work with.

In a newly published report, Kaspersky details the discovery and also provides information on the evolution of the KopiLuwak JavaScript backdoor, along with details on the changes observed in the group’s Carbon framework and in the Meterpreter and Mosquito malware delivery techniques.

Turla is expected to continue to update and use the Carbon framework code into 2019 within Central Asia and related remote locations. The group is also expected to use open-source based or inspired fileless components and memory loaders from the Mosquito malware, Kaspersky says.

“It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” Kaspersky notes.